Web Application Security

Transcription

1 Web Application Security Erwin Huber Head of Research & Development Web Application Security Web Application Security Unit Strong Focus on Web Application Security since 1996 Protection of Web Applications against attacks and manipulation Access Control, Identity Management and Single Sign On for Web environments 17 Employees Top Class Customer References Over 200 customers with more than 500 installations in 8 countries 9 out of 10 banks in Switzerland protect their e-banking with Airlock Indirect Sales Model / direct touch GLOBAL SECURITY ALLIANCE 1

2 Mega Trend: Web Applications e-banking (starts by end of the nineties) e-shops e-government Intranet Portals (emloyees) Extranet Portals (Partner) Web 2.0 Applications / Social Network Collaboration (MS Sharepoint etc) Massive savings, growing customer satisfaction, more visibility So far so good but what is with security Motivation Today s Application Level Attacks are targeted and motivated by Data theft (criminally, commercially) Espionage Reputation damage Malware Deployment (Spam, Botnets) Identity Theft Denial of Service Web Applications & Web Services are the most attractive target as they represent an electronic interface to data Many people say «We never had such a problem» well... how do you know? Application level data theft is not recognized in most cases! 2

3 Effectivity =Security 9/8/2010 How to make web applications more secure? There is no Silver Bullet Web application security is always a combination of instruments Goal: Achieve maximum security with reasonable effort ($) Code Analysis Web Application Firewall Penetration Tests Security Training for developers IPS / Deep Inspection Vulnerability Scanning Efficiency = Value/Cost /time to market Key Criteria for Application Security WHOM are we dealing with? Access Control WHAT are we dealing with? Filtering 3

4 Strategic Web Entry Solution PCI-DSS Compliance Multi-Level Filtering Application Acceleration Access Control, Identity Mgt., Single Sign On ICAP Content Filtering Monitoring & Reporting Multi-Level Filtering 4

5 Dynamic Whitelisting Technologies URL Encryption Effective protection against forceful browsing URLs and parameters 100% protected Topology and technology hiding Dynamic, no static configuration Smart Form Protection Cryptographic protection of HTML forms Only valid inputs allowed Automatic protection of hidden fields, selections, etc Dynamic, no static configuration Cookie Protection Cryptographic protection of application cookies Only valid cookies accepted Privacy & Integrity Dynamic, no static configuration Local cookie store Application dynamically defines valid URLs, parameters and values. Airlock enforces valid usage! Cookie Protection Pass-through (not protected) conventional, cookie may be read and manipulated in browser Same as without airlock Encrypt airlock encrypts cookie before sending it to the browser Cookie not forgeable because a valid encryption is required Store Cookies are not sent to browser but held in the user session on airlock airlock needs its own session tracking (cookie or SSL session) 1) 2) 3) Web Application 5

6 URL Encryption Example User requests start page: Application sends plain URL in HTML: User browser receives encrypted URL: Secured Area DMZ Manipulated requests are blocked: include=../../../../../etc/passwd Error! Key Web Application Security Topics 6

7 Access Control User Airlock Authentication Service User Directory Web Application Authentication enforcement & Single Sign On Authentication may depend on user type, role and origin 7

8 Airlock Secure Active Sync Authentication via SSL client certificate before the access onto Exchange servers Active-Sync specific whitelist-rules Device-independent: Windows Mobile Nokia N-Series Apple iphone Supported Push Calendar & contacts synchronisation Enforcement of data erasing if client is lost or subject to brute force Policy enforcement for e.g. device password Airlock SharePoint Integration 8

9 Your Choice: Airlock benefits! Leading Web application firewall in central Europe Competent and trusted product development in Switzerland Unique and unmatched combination of authentication enforcement, filtering and high security platform Only WAF solution with real dynamic whitelisting (much easier to manage, less operational costs, less application dependencies) Rapid Web-Security Compliance (e.g. PCI-DSS, Certified Secure Web) Thank you! 9